Hacking the Code: ASP.NET Web Application Security

Mike Riley

October 30, 2009


PRObooks


Are your Web applications really secure? That is the question this book poses on its front cover, and it is an excellent question to ask, given all the headlines around the globe concerning Web site intrusions, trojans, and worms. Although the .NET platform is not the only one affected by such attempts at wrongful entry, it draws more than its share of attention because of its popularity and its Microsoft association. Consequently, any ASP.NET Web developer should know that with power comes responsibility. Hacking the Code: ASP.NET Web Application Security educates and illustrates how attacks can occur and how they can be proactively deterred.

Even for less security-conscious developers, this book offers excellent insight into the way ASP.NET manages session state and other frequently used aspects of the technology. It also conveys ample concern for how easily certain exploits, such as cross-site scripting attacks, can be used to gain unauthorized access to a Web site's data or even to compromise the server's access privileges. The good news is that the author provides readers with ASP.NET code that replaces popular, yet insecure, logic with safer, and often more effective, approaches. Although the code samples, presented in both C# and VB.NET syntax, can be downloaded from the book's Web site, it is only by reading the context of the suggested replacement that the security recommendations sink in.

The book contains 8 chapters and 2 appendixes, ranging from user session management and authentication to data access and encryption. Topics are presented in a cookbook-style format; that is, a requirement such as resetting forgotten passwords is followed by a How To discussion containing the do's and don'ts of the solution. Each chapter concludes with an exceptional summary of the topics covered in the form of a Coding Standards Fast Track checklist. These checklists should be actively referenced throughout the development of any ASP.NET application that intends to enforce even a modicum of security. In fact, the book brings to light many lesser-known security considerations that may even improve a company's own security policies.

Although a bit on the expensive side, the book should be thought of as an insurance investment, as long as the author's recommendations are heeded. I would also have preferred some discussion of how Intrusion Detection Systems (IDS) could hook into ASP.NET applications to further improve alerting on strange or unauthorized activity. However, IDS is well covered in another Syngress book, Snort 2.1 Intrusion Detection, Second Edition (http://www.syngress.com/catalog/sg_info.cfm?pid=2950). Perhaps Microsoft will address the vulnerabilities described in this book in future ASP.NET releases. But for now, it is up to the developer to ensure that their code follows secure and defensive coding best practices. Hacking the Code: ASP.NET Web Application Security serves as a robust shield in the hostile virtual world of the Internet.

I highly recommend this book to any ASP.NET developer working with sensitive data. Implementing its many recommendations might one day save your company from an embarrassing and potentially costly situation.

Mike Riley


Rating:

Title: Hacking the Code: ASP.NET Web Application Security

Author: Mark Burnett

Publisher: Syngress Publishing

ISBN: 1-932266-65-8

Book Web Site: http://www.syngress.com/catalog/sg_main.cfm?pid=2680

Price: US$49.95

Page Count: 448 pages